edouard.paris / did-method-plc
Fork of github.com/did-method-plc/did-method-plc
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Prevent signature malleability (#54)

* prevent padding on signatures

* bump @atproto/crypto

* added test for padded sig

authored by

Daniel Holmgren and committed by
GitHub d192bbc3 a68a29b2

+18 -6
+1 -1
packages/lib/package.json
··· 32 32 }, 33 33 "dependencies": { 34 34 "@atproto/common": "0.3.0", 35 - "@atproto/crypto": "0.2.2", 35 + "@atproto/crypto": "0.3.0", 36 36 "@ipld/dag-cbor": "^7.0.3", 37 37 "axios": "^1.3.4", 38 38 "multiformats": "^9.6.4",
+3
packages/lib/src/operations.ts
··· 265 265 op: t.CompatibleOpOrTombstone, 266 266 ): Promise<string> => { 267 267 const { sig, ...opData } = op 268 + if (sig.endsWith('=')) { 269 + throw new InvalidSignatureError(op) 270 + } 268 271 const sigBytes = uint8arrays.fromString(sig, 'base64url') 269 272 const dataBytes = new Uint8Array(cbor.encode(opData)) 270 273 for (const didKey of allowedDidKeys) {
+9
packages/lib/tests/data.test.ts
··· 1 1 import { check, cidForCbor } from '@atproto/common' 2 2 import { P256Keypair, Secp256k1Keypair } from '@atproto/crypto' 3 + import * as ui8 from 'uint8arrays' 3 4 import { 4 5 GenesisHashError, 5 6 ImproperOperationError, ··· 135 136 136 137 it('does not allow operations from the signingKey', async () => { 137 138 const op = await operations.updateHandleOp(lastOp(), signingKey, 'at://bob') 139 + expect(data.validateOperationLog(did, [...ops, op])).rejects.toThrow( 140 + InvalidSignatureError, 141 + ) 142 + }) 143 + 144 + it('does not allow padded signatures', async () => { 145 + const op = await operations.updateHandleOp(lastOp(), signingKey, 'at://bob') 146 + op.sig = ui8.toString(ui8.fromString(op.sig, 'base64url'), 'base64urlpad') 138 147 expect(data.validateOperationLog(did, [...ops, op])).rejects.toThrow( 139 148 InvalidSignatureError, 140 149 )
+1 -1
packages/server/package.json
··· 36 36 }, 37 37 "dependencies": { 38 38 "@atproto/common": "0.3.0", 39 - "@atproto/crypto": "0.2.2", 39 + "@atproto/crypto": "0.3.0", 40 40 "@did-plc/lib": "*", 41 41 "axios": "^1.3.4", 42 42 "cors": "^2.8.5",
+4 -4
yarn.lock
··· 31 31 multiformats "^9.6.4" 32 32 pino "^8.6.1" 33 33 34 - "@atproto/crypto@0.2.2": 35 - version "0.2.2" 36 - resolved "https://registry.yarnpkg.com/@atproto/crypto/-/crypto-0.2.2.tgz#9832dda885512a36401d24f95990489f521593ef" 37 - integrity sha512-yepwM6pLPw/bT7Nl0nfDw251yVDpuhc0llOgD8YdCapUAH7pIn4dBcMgXiA9UzQaHA7OC9ByO5IdGPrMN/DmZw== 34 + "@atproto/crypto@0.3.0": 35 + version "0.3.0" 36 + resolved "https://registry.yarnpkg.com/@atproto/crypto/-/crypto-0.3.0.tgz#a79e05a85129810755f3456e9d419b49824407d7" 37 + integrity sha512-bhcxRTL4fgRY2YX/St0x4o0oDUp18QIPD7ek+7v8UKA0HpsCGQYbo8w9d9hUvwwty5X5p00cYF2tbggUWaPy7A== 38 38 dependencies: 39 39 "@noble/curves" "^1.1.0" 40 40 "@noble/hashes" "^1.3.1"